Security
Last updated: April 30, 2026
Legal work is sensitive. Security is a first-class concern at eLaw — every architectural choice we make is informed by it.
Encryption
In transit. All connections to the Service use TLS 1.2 or higher. HSTS is enforced and we redirect HTTP to HTTPS.
At rest. Documents, database content, and backups are encrypted using AES-256. Encryption keys are managed by the cloud provider's KMS and rotated on a defined schedule.
Authentication & Access Control
User passwords are hashed with bcrypt (12 salt rounds). Sessions use short-lived access tokens (15 min) paired with rotating refresh tokens (30 days). Tokens are stored in HTTP-only, Secure, SameSite cookies.
Within the Service, role-based access control isolates Admins, Firm Admins, Lawyers, and Paralegals. Each API request is checked against the firm workspace ID — there is no cross-firm data access.
Single Sign-On via SAML 2.0 is available on the Enterprise plan.
Multi-Tenant Isolation
Every record in the database is scoped to a firm. Document chunks, embeddings, conversations, and agent runs are filtered by firm ID at the query layer. We perform regular tests to verify isolation.
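As an added illustration (not eLaw's code) of the scoping described above: a hypothetical in-memory query layer in which the firm-ID filter lives in one place, plus an isolation check that tries every row's ID under every other firm and expects it to look missing. Table names and sample rows are constructed for the example.

```python
from itertools import count

# Hypothetical record types, mirroring the kinds of data listed above.
TABLES = ("document_chunks", "embeddings", "conversations", "agent_runs")

class ScopeError(Exception):
    """A query reached the data layer without a firm scope."""

class FirmScopedStore:
    def __init__(self):
        self.rows = {t: [] for t in TABLES}
        self._ids = count(1)

    def insert(self, table, firm_id, **data):
        # Every record carries the firm it belongs to.
        row = {"id": next(self._ids), "firm_id": firm_id, **data}
        self.rows[table].append(row)
        return row["id"]

    def list(self, table, firm_id):
        # The filter is applied here, so no caller can forget it.
        if not firm_id:
            raise ScopeError(f"{table}: query without firm scope")
        return [r for r in self.rows[table] if r["firm_id"] == firm_id]

    def get(self, table, firm_id, row_id):
        # A known ID belonging to another firm must look identical to a missing one.
        return next((r for r in self.list(table, firm_id) if r["id"] == row_id), None)

def verify_isolation(store, firm_ids):
    """True only if every row is invisible to every firm other than its owner."""
    for table in TABLES:
        for row in store.rows[table]:
            for other in firm_ids:
                if other != row["firm_id"] and store.get(table, other, row["id"]) is not None:
                    return False
    return True

def sample_store():
    # Constructed sample data for two firms.
    s = FirmScopedStore()
    s.insert("document_chunks", "firm-a", doc="nda.pdf", text="chunk 1")
    s.insert("document_chunks", "firm-b", doc="lease.pdf", text="chunk 1")
    s.insert("embeddings", "firm-a", doc="nda.pdf", vector=[0.1, 0.2])
    s.insert("conversations", "firm-b", title="lease review")
    s.insert("agent_runs", "firm-a", status="done")
    return s
```

Running verify_isolation over a copy of production-shaped fixtures is one way to turn "regular tests to verify isolation" into a repeatable check.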
Infrastructure
The Service runs on hardened cloud infrastructure with private networking between application and data tiers. Production access is restricted to a small number of operators with multi-factor authentication and is audited.
Infrastructure changes flow through code review and CI; production deploys require approval and produce immutable, signed artifacts.
Audit Logging
Authentication events, billing changes, document access, and administrative actions are logged. Firm Admins on Professional and Enterprise plans can review audit logs from the dashboard.
AI Provider Safeguards
Customer Data sent to model providers (e.g., Anthropic) is governed by enterprise terms that prohibit those providers from using your data to train their models. Prompts and outputs are not shared with other customers.
Data Retention & Deletion
On account termination, Customer Data is deleted from production within 30 days. Backups expire on our standard rotation (typically 90 days). Customers may delete individual documents at any time from the vault.
Incident Response
We maintain an incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. In the event of a breach affecting Customer Data, we will notify affected customers without undue delay and within the timelines set in our DPA.
Compliance
Our security program is designed against SOC 2 controls. We support GDPR, UK GDPR, and CCPA/CPRA via our Data Processing Agreement. Compliance reports and questionnaires are available to Enterprise customers under NDA.
Personnel
Employees complete security and privacy training at hire and annually. Production access follows least-privilege; we revoke access promptly upon role change or departure.
Vulnerability Disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@elawplatform.com with reproduction steps. Please do not access data that is not your own, perform DoS testing, or publicly disclose before we've had reasonable time to remediate.
We will acknowledge receipt within two business days and provide a remediation timeline within ten.
Contact
Security questions or compliance documentation requests: security@elawplatform.com.